Privacy Notice for Consultants and other External Individuals
About Birmingham Prostate Clinic
Birmingham Prostate Clinic (BPC) is the trading name of The Birmingham Prostate Clinic Ltd, Registered Office: Wilson House, Waterberry Drive, Waterlooville, Hampshire, United Kingdom, PO7 7XX. Company Registration Number 05509497. Registered in England & Wales.
BPC is registered with the Information Commissioner’s Office, registration number ZA441424.
BPC is a wholly owned subsidiary of Genesis Cancer Care UK Limited (GenesisCare) and for the purposes of data protection legislation BPC and GenesisCare jointly control your data.
We are committed to respecting and protecting your privacy whenever we use your personal information. This privacy notice sets out what information about you GenesisCare collects, how that information will be used and your legal rights. This Privacy Notice applies to the following groups of individuals:
- Consultants who have applied for, currently hold or have held practising privileges with BPC
- External Individuals such as Oncologists, Surgeons, GPs, Medical Secretaries and Community Nurse Specialists who do not hold Practising Privileges with the organisation but have expressed an interest in or refer into BPC.
The GenesisCare privacy notices can be found at: www.genesiscare.com/uk/
What information do we collect?
We will collect, use and store your personal data for a wide variety of reasons in connection with the professional relationship between us. The main categories of personal data we may collect are:
- Your name and contact details (postal and email addresses and phone numbers)
- Right to work documentation
- Qualifications, experience, CV and scope of practice and suitability
- Details relating to your professional registration such as your GMC number and revalidation
- Details of any suspensions, disciplinary actions or criminal convictions
- Details of your insurer
- Appraisal documentation and Personal Development Plan
- Bank details
- ICO registration
- Secretary and emergency next of kin
- Identification documents
- DBS certificate
- Certificates of Continued Professional Development
- Details of patient feedback, complaints, adverse events and near misses
- Information relating to your health that may affect your ability to practise or the health and safety of patients and staff
How do we obtain your information?
BPC works closely with Consultants and External Individuals to support the delivery of our services. First and foremost, we will look to identify potential compatible business opportunities. We do this by collecting information:
- Directly from you i.e. if you apply for practising privileges or would like to work with BPC
- Available in the public domain such as Consultant Finders and professional profiles
- Through recommendations and third party service providers such as Wilmington Healthcare.
How do we use your information?
We use a third party service provider called Broadley Speaking to identify and progress potential business opportunities. Broadley Speaking may contact you on our behalf to talk about our services. We may also contact you directly.
Where you choose to apply for practising privileges, we will collect and retain information about you relevant to your application and if successful, information needed to manage your ongoing relationship with us. We will carry out checks such as obtaining references, DBS, confirming your previous employment, professional and regulatory registrations and right to work. This will entail collecting information directly from you, your previous employer/s and relevant regulatory and professional bodies.
Once your practising privileges have been granted, your name, role, department or section, work email address and telephone number may appear in the GenesisCare internal directory. This information may also appear on externally facing webpages and publications.
We will use your information to help fulfil other contractual obligations such as annual reviews, processing payments and ensuring you are up to date with your statutory and mandatory training.
We may keep a log of and record incoming telephone calls to ensure individuals contacting the organisation receive an appropriate response and for quality monitoring, training and compliance purposes.
We may monitor use of IT equipment, systems, network and internet access through user names and log-ins to ensure adherence to the Acceptable Use Guidelines, for statistical purposes, or to monitor systems access to ensure access is appropriate and to identify or prevent security breaches.
As a company pursuing healthcare activities, we may sometimes need to process your data to pursue our legitimate business interests. This will be in ways that you would reasonably expect, the nature of which include:
- Administrative purposes during clinical trials
- Using your personal data within our systems and communications so that BPC employees (including employees within the GenesisCare groups), Health Care Professionals, suppliers, patients and any other party we share information with for our business purposes, know who you are and are able to contact you
- Providing you with appropriate tools, systems and access to support so that you are able to carry out your tasks effectively
- Supporting the reporting and investigation of any incidents, near misses, complaints or concerns
In order to safeguard our staff, doctors, patients and visitors (including all their families), you will be required to complete a test for SARS-CoV-2, which will be on-going until all government shielding and social distancing measures due to SARS-CoV-2 have been lifted.
To protect your health and care needs we may share your confidential information including health and care records with clinical and non-clinical staff internally within the organisation and with other health and care providers and other bodies engaged in disease surveillance for the purposes of protecting public health, providing healthcare services and monitoring and managing the outbreak. Further information about how health and care data is being used and shared by the NHS and other health and social care organisations to support the COVID-19 response can be found at https://www.nhsx.nhs.uk/covid-19-response/data-and-covid-19/how-data-supporting-covid-19-response/.
Innova Lateral Flow Antigen Test (LFT)
An LFT is a rapid test for Covid-19 which can be self-administered to allow faster results, which will further mitigate the risk of transmission in our centres. All Consultants, visitors and contractors attending a BPC Clinic will be provided with a test kit on arriving at reception and will be required to evidence a negative result before being allowed further access to our buildings. All tests and results, irrespective of the outcome, will be recorded by our reception team.
Our lawful basis for processing your personal data is legitimate interest as the processing is necessary during the Covid-19 pandemic to control, and wherever possible, prevent the spread of infection. We may also be legally required to share personal data under the Notice issued by the Secretary of State under Regulation 3(4) of the Health Service Control of Patient Information Regulations issued on the 1st April 2020. In relation to your special category data, the processing is necessary for the provision of health or social care or treatment or the management of health or social care systems and services.
Other purposes may also include:
- Providing facilities such as building access and car parking provision
- Preventing and detecting crime and managing a safe working environment
- Managing engagement activities and events
- Managing information technology and communications systems, such as the corporate email system and company directories
- Conducting ethics and investigations
- Management reporting analysis
- Complying with applicable legal obligations, including government reporting and specific local law requirements; and
- Managing mergers, acquisitions and divestitures.
Lawful Basis for Processing
Whenever we use your personal data, we will have a lawful basis for processing the data in accordance with data protection law. Our lawful basis for processing generally falls into the following categories:
|Data type||Lawful basis for processing||Examples|
|Personal Data||The processing is necessary for the purpose of legitimate interests||· Marketing and engagement training · Training, monitoring and reporting · Administration, management of user accounts, communication and collaboration · Profile your BPC related activity|
|Personal Data||The processing is necessary for the performance of a contract||· Determining whether you should be offered practising privileges · Annual reviews|
|Personal Data||The processing is necessary to comply with the law||· Response to court orders or regulatory bodies · Data subject rights requests · Checking your legal entitlements to work in the UK|
|Sensitive Data||Processing is necessary for the purpose of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law||· Carrying out criminal background checks to meet safeguarding requirements and protect people from harm|
|Sensitive Data||Processing is necessary for the purpose of the provision of health or social care or treatment or the management of health or social care systems and services||· Ascertaining your fitness to work|
Who will my information be shared with?
Where you hold practising privileges with BPC, you will have access to certain information about you via Workday. This GenesisCare platform managed by the People & Culture (P&C) function provides self-service functionalities so you can complete, correct or remove the personal data you have added to your personal file in Workday. Please note if you remove certain types of information this may have an effect on your relationship with us.
Relevant information will be shared internally within both BPC and GenesisCare with individuals who directly support the Practising Privileges process e.g. our Chief Medical Officer, Quality Team and the relevant Centre Leader and/or Clinic Manager.
We use a third party service provider to support our business development and marketing activities.
Your personal data will be accessed by other relevant GenesisCare UK departments, such as finance, but only to the extent necessary to fulfil their respective tasks. GenesisCare Australia also has access to this personal data to provide functional support to GenesisCare UK.
We may share information about you with our regulators, including the Care Quality Commission and supervisory authorities during the course of enquiries or necessary reporting.
We participate in programmes run by the Private Healthcare Information Network (PHIN) which enable patients to compare privately-funded healthcare (both hospitals and consultants).
Sometimes we are legally required to disclose information about you. This may be because of a court order or because a regulatory body has statutory powers to access Consultants’ records as part of their duties to investigate complaints, accidents or Consultants’ fitness to practise.
Information about you may also be shared with the police and other third parties where reasonably necessary for the prevention or detection of crime.
On occasion, we may need to share information about you without obtaining your explicit consent. This will only occur if the processing is necessary:
- To protect your vital interests and you cannot give your consent or your consent cannot reasonably be obtained, for example, in a medical emergency
- To protect another person’s vital interest and you have unreasonably withheld your consent
- To comply with data subject rights requests in circumstances where it is reasonable in all the circumstances to disclose your information
- To meet our statutory obligations or in response to a court order
- For the purpose of prevention or detection of crime, the apprehension or prosecution of offenders.
We share information with other third party suppliers working under contract to provide specific services on our behalf, for example payment processing, IT support and our telephony system. Where this happens, suppliers are bound by strict contractual provisions and safeguards. These companies have no right to use your information except on our behalf for the specified purposes or when required to do so by law.
International transfers of your personal information
We are part of a global organisation and we (or third parties acting on our behalf) may store or process personal information within the GenesisCare group of companies for administrative and management purposes. The group companies are located in Spain, Australia and the United States. This processing is based on our own or a third party’s legitimate business interests.
As a global organisation GenesisCare may engage global suppliers for the provision of services to the GenesisCare group of companies and such suppliers may also be located outside the UK.
Where we transfer your personal data to a third country or international organisation, we will ensure adequate safeguards and measures are in place to protect your personal data from unlawful use and ensure your fundamental rights are capable of being upheld. We would normally achieve this by:
- Only transferring personal data to countries deemed capable of providing an adequate level of protection; or
- Implementing Standard Contractual Clauses; and
- Adopting technical, organisational and contractual measures, where required.
In certain situations, it may be possible to legitimise the transfer by relying on a derogation. For example, if:
- You have explicitly consented to the proposed transfer; or
- The transfer is necessary for the performance of a contract.
In all cases any transfer of your personal information will be compliant with applicable data protection law. If you would like further information regarding the steps we take to safeguard your personal information when making international transfers, please contact the DPO using the details at the foot of this Privacy Notice.
How we will secure your personal data
We take privacy seriously and will ensure your personal data is appropriately secured and protected from being accidentally or deliberately compromised.
Those staff members managing the P&C function are trained to handle your data correctly and to protect your confidentiality and privacy.
We maintain high standards, adopt best practice for our record keeping and regularly check and report on how we are doing. Your data is never collected or sold for direct marketing purposes.
Technical and organisational measures we take to ensure the security of your information include:
- An established network of individuals across the organisation who are accountable and responsible for information risk management
- Existence of various organisational measures including policies and procedures, providing regular training in handling personal data lawfully and conducting regular compliance checks
- Lockable rooms, cabinets, individual log in credentials, encryption and secure disposal of confidential waste
- Ensuring only appropriate individuals have access to relevant and proportionate information about you
- Restricted access to electronic systems and folders
- Carrying out checks on third parties who process personal data on our behalf.
How long do we keep your personal data?
We retain your records for certain periods (depending on the particular type of record) in accordance with our Records Lifecycle and Retention Procedure.
|Record type||Retention Start||Retention Period||Notes|
|Practising Privileges Record||Expiry of Practising Privileges||6 years||Evidence of right to work, security checks, recruitment documentation, application forms, training records, references, contracts, annual reviews, certificates registration evidence of vaccinations|
|Log of incoming calls||Date of entry||3 months||Calls received by the organisation’s overflow telephony service provider|
|Telephone recordings||Date of recording||51 days||Calls into the organisation’s centre using a static or dynamic number|
|Direct Marketing opt-out||Date of opt-out||Indefinitely||To ensure wishes are upheld|
|Record of engagements with the GenesisCare Business Development Team||Expiry of Practising Privileges||2 years||Refers to Consultants with Practising Privileges|
|Record of engagements with the GenesisCare Business Development Team||Last activity||2 years||Refers to External Individuals|
|Records of events attended dietary and accessibility preferences||Date of event||4 weeks|
|Payments||Close of financial year||10 years|
|Complaints case file||Closure of complaint||10 years|
|Subject Access Request (SAR) and disclosure correspondence||Closure of SAR||3 years|
|Subject Access Request where there has been a subsequent appeal||Closure of appeal||6 years|
You have the right to “opt out” of receiving direct marketing. If you ask us not to call or contact you again in relation to marketing activities, we will add you to our “opt-out” list, ensuring we do not accidentally send you further information.
Your rights and your data
If in the future we intend to process your personal data for a purpose other than that for which it was collected, we will provide you with information on that purpose and any other relevant information.
Under the General Data Protection Regulation (GDPR) and The Data Protection Act 2018 (DPA) you have a number of rights with regard to your personal data.
You are entitled to:
- A description of the personal information we hold about you
- Why this information is being collected and processed
- Know to whom your information may be disclosed
- Know where the information came from, if this is not clear
- Have a copy of the information on request – this is called a subject access request
- Ask for any errors or out-of-date information to be corrected
Unless an exemption applies, you have the following rights with respect to your personal data:
- The right to request a copy of your personal data which the organisation holds about you.
- The right to request that the organisation corrects any personal data if it is found to be inaccurate or out of date.
- The right to request your personal data is erased where it is no longer necessary for the organisation to retain such data.
- Where your consent is relied upon as a processing condition, the right to withdraw your consent to the processing at any time; any such withdrawal will not affect the lawfulness of the processing before your consent was withdrawn.
- The right to request that the organisation provides you with your personal data and where possible, to transmit that data directly to another data controller, (the right to data portability), where applicable. (This right only applies where the processing is based on consent or is necessary for the performance of a contract with you and in either case the data is processed by automated means.)
- The right, where there is a dispute in relation to the accuracy or processing of your personal data, to request a restriction is placed on further processing.
- The right to object to the processing of personal data, where applicable. (This right only applies to profiling or where processing is based on legitimate interests; the performance of a task in the public interest; direct marketing and processing for the purposes of scientific/historical research and statistics.)
Updates to this Privacy Notice
We may update this Privacy Notice from time to time to ensure that it remains accurate. In the event that these changes result in any material difference to the manner in which we process your personal data we will signpost you to the specific changes.
Information Commissioner’s Office (ICO)
You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues, for example if you are unhappy with the way that we have dealt with a request from you to exercise your rights, or if you think we have not complied with our legal obligations.
Whilst you are not obliged to do so, we would appreciate you making us aware of any issue prior to notifying the ICO and giving us the opportunity to respond. Please contact the BPC DPO whose details are at the foot of this privacy notice.
Making a complaint will not affect any other legal rights or remedies that you have.
Information Commissioner’s Office, at email@example.com, or at Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF or telephone 0303 123 1113 (local rate call). Website: https://ico.org.uk/
Questions and queries
If you have any queries or would like to exercise your rights or to establish whether any rights apply to you, please contact the People & Culture department or you can email firstname.lastname@example.org
If you have any questions about this privacy notice or how we handle your personal data please contact the DPO:
Data Protection Officer: BPCdpo@genesiscare.co.uk or telephone 07